On 28.10.2014, at 10:13, Julian Pawlowski <[email protected]> wrote:
> I was wondering if there is a way to have HAProxy check for an existing
> Cookie the client sends and have it verify with a specific backend (say
> backend1). Based on that backend's HTTP error code (e.g. 200 or 403), HAProxy
> should allow forwarding to backend2. Of course this would need to be checked
> for every request but as this is not a high traffic site that wouldn’t be an
> issue.
Okay, I guess I made some progress. Maybe that helps somebody else to give
me a helping hand in completing this.
My primary backend application now sends customized headers like these once,
after the user was successfully authorized:
    X-APPNAME-AllowUser: APPSESSION=lkjhgsadkfjhsadjfhg
    X-APPNAME-Validity: <UNIXTIMESTAMP-until-session-ends>
    Location: /backend2
I think I can now add some ACLs in the HAProxy configuration of my primary
backend:
    acl allowAPPNAMEUser res.hdr(X-APPNAME-AllowUser) -m found
    acl disallowAPPNAMEUser res.hdr(X-APPNAME-DisallowUser) -m found
    http-response set-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-AllowUser)] %[res.hdr(X-APPNAME-Validity)] if allowAPPNAMEUser
    http-response del-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-DisallowUser)] if disallowAPPNAMEUser
I tried these but don’t know if they are actually working because I wasn’t able
to get anything about it from the log files.
Also the map files are not written, even though I created empty files and
ensured r/w access for the HAProxy daemon user.
For /backend2, I think I might just need to add an ACL to my frontend similar
to this but I’m not sure:
    use_backend bk_backend2 if { hdr_sub(cookie),map_str(/var/lib/haproxy/appname_user_sessions.lst) -m found }
About session expiration: I think I cannot have HAProxy make any cleanups on
its own besides using the info should a user explicitly use the logout function
via the primary backend (X-APPNAME-DisallowUser ...). The plan is to have a
cron job running that cleans the appname_user_sessions.lst based on the second
column I added from the X-APPNAME-Validity header.
However, I’m still stuck on this somehow.
Any help would be very much appreciated (it’s for an open-source project if that
counts).
Many thanks in advance.
Julian
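
Added example, not part of the original message or of HAProxy: entries created with http-response set-map live only in the running process's memory and are never written back to the map file, so session expiry has to be enforced through the stats socket rather than by editing the file. The sketch below parses `show map` output and issues `del map` by entry reference; the socket path, the sample listing and all function names are assumptions.

```python
import re
import socket
import time

MAP_FILE = "/var/lib/haproxy/appname_user_sessions.lst"  # path from the post
STATS_SOCKET = "/var/run/haproxy.sock"  # assumption: stats socket path
REF = re.compile(r"0x[0-9a-fA-F]+")

# Constructed `show map` output: "<ref> <key> <value>" per entry.
SAMPLE = """0x1a2b APPSESSION=aaa 1414490000
0x1a2c APPSESSION=bbb 1414500000
0x1a2d APPSESSION=ccc notanumber
0x1a2e APPSESSION=ddd
"""


def expired_refs(show_map_output, now):
    """Refs of expired entries; a bad or missing value counts as expired."""
    refs = []
    for line in show_map_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not REF.fullmatch(fields[0]):
            continue  # blank line or unexpected output
        value = " ".join(fields[2:])
        if not re.fullmatch(r"[0-9]+", value) or int(value) <= now:
            refs.append(fields[0])
    return refs


def delete_commands(refs, map_file=MAP_FILE):
    """Delete by reference: the header-derived key never enters a command."""
    return ["del map %s #%s" % (map_file, ref) for ref in refs]


def run_cli(command, path=STATS_SOCKET):
    """Send one command to the stats socket and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(command.encode() + b"\n")
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply.decode()


if __name__ == "__main__":
    listing = run_cli("show map " + MAP_FILE)
    for cmd in delete_commands(expired_refs(listing, int(time.time()))):
        run_cli(cmd)
```

Run from cron, this removes expired sessions from the live map; entries whose validity value is missing or malformed are dropped as well, so a broken header cannot leave a session valid indefinitely.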